Security Engineering

Ross Anderson

Mentioned 2

This reference guide to creating high quality security software covers the complete suite of security applications referred to as end2end security. It illustrates basic concepts of security engineering through real-world examples.

More on Amazon.com

Mentioned in questions and answers.

Which books are really MUST read for a person who attempts to create a critical parts of application(s) in security field, e.g. driver which are dealing with coding/decoding, firewall, kernel subsystem which rely on checking of rights/policies, a secure mail client, etc.

Are there any specific books covering applied C programming topics in field like this? Like how to design/write secure code, what are the common attacks your program must be resistant to and the like?

In my opinion, these are must-reads:

Cryptography in C and C++ - http://www.amazon.com/Cryptography-C-Michael-Welschenbach/dp/1590595025/

Secure Programming Cookbook for C and C++: Recipes for Cryptography, Authentication, Input Validation & More - http://www.amazon.com/Secure-Programming-Cookbook-Cryptography-Authentication/dp/0596003943/

Cryptography Engineering: Design Principles and Practical Applications - http://www.amazon.com/Cryptography-Engineering-Principles-Practical-Applications/dp/0470474246/

Security Metrics: Replacing Fear, Uncertainty, and Doubt - http://www.amazon.com/Security-Metrics-Replacing-Uncertainty-Doubt/dp/0321349989/

Security Engineering: A Guide to Building Dependable Distributed Systems - http://www.amazon.com/Security-Engineering-Building-Dependable-Distributed/dp/0470068523/ (High-level, management issues, etc.)

The following book deserves honorable mention, although many experts repudiate it these days. However, some say it is the best book on the subject, so judge for yourself:

Applied Cryptography: Protocols, Algorithms, and Source Code in C, Second Edition - http://www.amazon.com/Applied-Cryptography-Protocols-Algorithms-Source/dp/0471117099/

Although I might pretend very well that I know a thing about networks or security and it might help me pass an interview or fix a bug, I don't really feel I'm fooling anyone. I'm looking for laymen explanation of current network security concepts and solutions. The information is scattered around and I didn't find a resource for "dummies" like me (e.g experienced Java developers that can speak the jargon but have no real clue what it means).

Topics I have a weak notion about and want to understand better as a Java developer:

  • PGP
  • Public / Private keys
  • RSA / DES
  • SSL and 2 way SSL (keystore / trustore)
  • Protecting against Man in the middle fraud
  • Digital Signature and Certificates

Is there a resource out there that really explains it in a way that doesn't require a Cisco certificate / Linux lingo / know what is subnet masking or other plumbing skills?

Schneier's Applied Cryptography is how I learned most of what I know. I haven't read it, but expect Ross Anderson's Security Engineering would also be a good resource.

Realated tags

cnetworkingsecurity